Skip to content
  • Contact Us
  • Services
  • Store

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Contact Us
  • Services
  • Store
Tuesday, April 20, 2021
Sodinokibi (aka REvil) Ransomware
adfind cobaltstrike ransomware revil Sodinokibi

Sodinokibi (aka REvil) Ransomware

March 29, 2021

Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More

Bazar Drops the Anchor
anchor bazar cobaltstrike

Bazar Drops the Anchor

March 8, 2021

Intro The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage … Read More

Laravel Apps Leaking Secrets
rdp

Laravel Apps Leaking Secrets

February 28, 2021

An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. These … Read More

Bazar, No Ryuk?
adfind bazar cobaltstrike ryuk

Bazar, No Ryuk?

January 31, 2021

Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More

All That for a Coinminer?
coinminer rdp

All That for a Coinminer?

January 18, 2021

A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tickets. … Read More

Trickbot Still Alive and Well
adfind cobaltstrike trickbot

Trickbot Still Alive and Well

January 11, 2021

In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read More

Defender Control
defense evasion Tools

Defender Control

December 13, 2020

Defender Control is a free software utility we’ve come across in various intrusions. The creators describe it by saying the following: What is certain however is that it [Windows Defender] … Read More

PYSA/Mespinoza Ransomware
empire koadic mespinoza psexec ransomware rdp

PYSA/Mespinoza Ransomware

November 23, 2020

Intro Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many … Read More

empirekoadicmespinozaransomwarerdp
Cryptominers Exploiting WebLogic RCE CVE-2020-14882
cryptominer CVE-2020-14882 exploit

Cryptominers Exploiting WebLogic RCE CVE-2020-14882

November 12, 2020

Intro Towards the end of October, we started seeing attackers take advantage of a WebLogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, … Read More

Ryuk Speed Run, 2 Hours to Ransom
adfind bazar cobaltstrike ransomware ryuk

Ryuk Speed Run, 2 Hours to Ransom

November 5, 2020

Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More

bazarcobalt strikekegtapransomwareryuk

Posts navigation

1 2 3 Next

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow us on Twitter

My Tweets

Recent Posts: The DFIR Report

Ryuk in 5 Hours

Ryuk in 5 Hours

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

Ryuk’s Return

Ryuk’s Return

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

NetWalker Ransomware in 1 Hour

NetWalker Ransomware in 1 Hour

The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz. Next, they RDPed into a Domain Controller, minutes … Read More

Dridex – From Word to Domain Dominance

Dridex – From Word to Domain Dominance

Ransomware Again…But We Changed the RDP Port!?!?!

Ransomware Again…But We Changed the RDP Port!?!?!

Here’s another example of threat actors brute forcing RDP to install ransomware, this time the brute forced system was not using the default RDP port. The threat actors installed ransomware … Read More

Translate

Proudly powered by WordPress | Theme: FreeNews | By ThemeSpiral.com.